Optimal Security Configuration for Windows

Source: Internet
Author: User
Tags: microsoft, website
During the China-US hacker war I looked at a number of compromised servers and found that most of them were NT/Windows 2000 machines, which was dismaying. Is Windows 2000 really that insecure? In fact, Windows 2000 contains many security functions and options; configured properly, it can be a reasonably secure operating system. I went through several websites and compiled this checklist from translations plus my own notes, in the hope that it helps Windows 2000 administrators. There is nothing advanced here, and the list is not complete; more will be added later. It is meant as a reference for administrators.

The specific list is as follows:
Elementary Security
1. Physical Security
The server should be placed in an isolated room fitted with a surveillance camera, and the recordings should be kept for at least 15 days. In addition, the chassis, the keyboard and the computer desk drawer should be locked so that nobody can use the machine even after getting into the room, and the keys should be kept elsewhere in a safe place.

2. Disable the Guest account
In Computer Management > Local Users and Groups, disable the Guest account so that it can never log on. For good measure, also give Guest a complicated password: open Notepad, type a long string of special characters, digits and letters, and paste it into the password fields of the Guest account.

3. Limit the number of unnecessary accounts
Remove all duplicate accounts, test accounts, shared accounts and generic department accounts. Assign permissions through groups and policy, review the accounts on the system regularly, and delete the ones that are no longer in use. Such accounts are a frequent point of entry: the more accounts there are, the more likely an attacker is to obtain a legitimate user's credentials. On NT/2000 hosts in China, once there are more than ten accounts you can usually find one or two with weak passwords. I once found that 197 of the 180 accounts on a host had weak passwords.

4. Create two accounts for the administrator
Although this seems to conflict with the point above, it actually follows the same rule. Create an ordinary account for reading mail and everyday tasks, and a second account with administrative rights that is used only when needed. From the ordinary logon the administrator can use the RunAs command to run just the tasks that require elevated privileges, which is convenient and limits the exposure of the privileged account.

5. Rename the Administrator account
As everyone knows, the built-in Administrator account of Windows 2000 cannot be disabled, which means anyone can keep trying passwords against it indefinitely. Renaming it helps. Do not rename it to Admin or something equally obvious; disguise it as an ordinary user, for example guestone. Renaming does not change the account's relative identifier (RID 500), so the account can still be identified through SID enumeration over a null session; combine this with restricting anonymous connections (item 10 under Intermediate).

6. Create a trap account
What is a trap account? Create a local account named "Administrator", give it the lowest possible rights (an ordinary user with no privileged group memberships) and a super complex password of more than ten characters. Script kiddies will stay busy with it for a while, and their intrusion attempts are easy to spot in the security log, because nobody legitimate ever uses that name. You can also do something to them in its logon script, but that is mischief enough.

7. Change share permissions from the "Everyone" group to "Authenticated Users"
In Windows 2000, "Everyone" means that any user who can reach your network can read the share. Never grant share permissions to the Everyone group, and that includes printer shares. The default share permission is Everyone, so do not forget to change it.

8. Use secure passwords
A good password is very important for a network, but it is the thing most easily neglected. Some administrators use the company name, the computer name or something similar as the user name when creating accounts, and then set the password to something trivial such as "welcome", "iloveyou", "letmein" or the user name itself. Such accounts should require the user to change to a complex password at first logon, and the password should then be changed regularly. When we discussed this on IRC a few days ago, we defined a good password as one that cannot be cracked within the rotation period: if someone obtains your password hashes, it should take 43 days or longer to crack them, while your policy forces a change every 42 days.

9. Set a screen saver password
This is simple and necessary. A screen saver password is another barrier against insiders tampering with the server. Do not use OpenGL or other elaborate screen savers, which waste system resources; use the blank (black) one. It is also better to enable screen saver passwords on the machines of all system users.

10. Use NTFS on all partitions
Convert every partition on the server to NTFS. NTFS is far more secure than FAT and FAT32 because it supports access control lists and auditing on files and folders; FAT has no file permissions at all. Needless to say, servers must use NTFS.

11. Run anti-virus software
I have never seen any anti-virus software installed on Win2000/NT servers. In fact, it is very important: good anti-virus software not only detects well-known viruses but also a large number of trojans and backdoor programs, which makes the popular trojans used by attackers useless. Do not forget to update the virus signatures frequently.

12. Keep backup media secure
If the system's data is destroyed, the backup is the only way to restore it. After backing up, keep the backup media in a safe place. Never keep the only backup on the same server; a backup like that is hardly better than none.

Intermediate security
1. Use the Windows 2000 security configuration tools to set policies
Microsoft provides a set of MMC-based security configuration and analysis tools (the Security Templates and Security Configuration and Analysis snap-ins). With them you can easily configure your servers to meet your requirements. For details see the Microsoft page: http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp

2. Disable unnecessary services
Terminal Services, IIS and RAS can all open holes in your system. Terminal Services is enabled on many machines so that they can be administered remotely; if you have enabled it, make sure it is configured correctly. Malicious programs can also run quietly as services, so keep track of every service enabled on the server and check them daily. The following are the services left running in a C2-level default installation:
Computer Browser
TCP/IP NetBIOS Helper
Microsoft DNS Server
Spooler
NTLM Security Support Provider
Server
RPC Locator
WINS
Remote Procedure Call (RPC)
Workstation
Net Logon
Event Log

3. Close unnecessary ports
Closing ports means reducing functionality, so you have to weigh security against function. A server behind a firewall is less exposed, but never assume you can relax. Use a port scanner to scan the ports your system has open and determine which services are listening; this is the first step an attacker takes against your system. The file %SystemRoot%\system32\drivers\etc\services lists the well-known ports and services for reference. To restrict the ports:
Network Neighborhood > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP filtering > Properties: enable TCP/IP filtering and add only the TCP and UDP ports you need. Note that TCP/IP filtering applies to inbound traffic only and to all network adapters at once.
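As an added example (not part of the original article), the following script does the check that the scan-then-filter step above implies: it parses a services file in the format of %SystemRoot%\system32\drivers\etc\services, compares a scan result against the port allow-list that was entered into TCP/IP filtering, and reports every listening port that the allow-list does not cover. The services excerpt and the scan result are constructed, and the allow-list is a hypothetical one for a web server administered over Terminal Services.

```python
"""Audit a host's open ports against the TCP/IP filtering allow-list.

Added example; not part of the original article. The services file excerpt
and the scan result are constructed, and the allow-list is hypothetical
(a web server administered over Terminal Services). Assumes the usual
layout of %SystemRoot%\\system32\\drivers\\etc\\services:
    name   port/proto   [aliases...]   # comment
"""
from typing import Dict, Iterable, List, Set, Tuple

PortKey = Tuple[int, str]  # (port, "tcp" | "udp")

# Constructed excerpt in the services-file format.
SERVICES_FILE = """\
# Constructed excerpt; the real file ships with Windows 2000.
echo                7/tcp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp     mail
domain             53/tcp
domain             53/udp
http               80/tcp     www www-http
epmap             135/tcp     loc-srv
netbios-ns        137/udp     nbname
netbios-dgm       138/udp     nbdatagram
netbios-ssn       139/tcp     nbsession
snmp              161/udp
https             443/tcp
microsoft-ds      445/tcp
ms-wbt-server    3389/tcp     # Terminal Services
"""


def parse_services(text: str) -> Dict[PortKey, str]:
    """Map (port, protocol) to service name; comments and blank lines are skipped."""
    table: Dict[PortKey, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # not a "name port/proto" entry
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = fields[0]
    return table


def audit_open_ports(open_ports: Iterable[PortKey], allowed: Set[PortKey],
                     services: Dict[PortKey, str]) -> List[Tuple[int, str, str]]:
    """Return (port, proto, service) for each open port that is not on the allow-list."""
    return [(port, proto, services.get((port, proto), "unknown"))
            for port, proto in sorted(open_ports)
            if (port, proto) not in allowed]


# Hypothetical allow-list: what the administrator typed into "Permit Only".
ALLOWED: Set[PortKey] = {(80, "tcp"), (443, "tcp"), (3389, "tcp")}

# Constructed result of scanning the same host before filtering was enabled.
SCAN: Set[PortKey] = {(80, "tcp"), (135, "tcp"), (139, "tcp"), (443, "tcp"),
                      (445, "tcp"), (3389, "tcp"), (137, "udp"), (161, "udp")}

if __name__ == "__main__":
    for port, proto, name in audit_open_ports(SCAN, ALLOWED, parse_services(SERVICES_FILE)):
        print(f"{port}/{proto}  {name:<14} open but not in the TCP/IP filter allow-list")
```

Run against the constructed scan it reports 135/tcp (epmap), 137/udp, 139/tcp, 161/udp and 445/tcp, which is exactly the NetBIOS, RPC endpoint mapper and SNMP exposure an Internet-facing Windows 2000 box should not have. Feed it the real services file and the output of your own scanner instead of the constructed data.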

4. Enable the audit policy
Enabling security auditing is the most basic form of intrusion detection on Windows 2000. When someone tries to get into your system (password guessing, abuse of account policy, unauthorized file access and so on), it is recorded in the security log. Many administrators remain unaware of an intrusion for months, until the system has been wrecked. The following audit settings must be enabled; others can be added as needed:
Policy: Setting
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Success
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit system events: Success, Failure
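Auditing only pays off if somebody reads the log. As an added example (not part of the original article), here is a small detector that runs over security-log records and turns them into the alerts the audit settings above are meant to produce: repeated failed logons from one workstation within the lockout window, any logon attempt against the decoy "Administrator" account from item 6 under Elementary, and the account-management and policy-change events that should always be reviewed. The log excerpt is constructed and uses a simplified tab-separated layout rather than the exact Event Viewer export columns; the event IDs are the real NT/2000 security event IDs.

```python
"""Simple intrusion detection over Windows 2000 security-log records.

Added example; not part of the original article. The log excerpt is
constructed and uses a simplified tab-separated layout (time, event ID,
account, workstation) rather than the exact Event Viewer export columns.
The event IDs are the NT/2000 security IDs: 528 successful logon, 529 failed
logon (unknown user name or bad password), 539 account locked out, 612 audit
policy changed, 624 user account created. The decoy-account name is the
hypothetical trap account from the Elementary section.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    when: datetime
    event_id: int
    account: str
    workstation: str


# Constructed log excerpt (tab-separated).
LOG = """\
2001-05-03 02:14:01\t529\tAdministrator\tATTACKER01
2001-05-03 02:14:03\t529\tAdministrator\tATTACKER01
2001-05-03 02:14:04\t529\tAdministrator\tATTACKER01
2001-05-03 02:14:06\t539\tAdministrator\tATTACKER01
2001-05-03 02:20:12\t529\troot\tATTACKER01
2001-05-03 08:02:55\t528\tguestone\tMGMT-PC
2001-05-03 08:03:10\t612\tguestone\tMGMT-PC
2001-05-03 09:41:20\t529\tjsmith\tSALES-07
2001-05-03 10:15:02\t624\twebtmp\tWEBSRV
"""

DECOY_ACCOUNTS = {"administrator"}  # hypothetical trap account; matched case-insensitively
ALWAYS_REVIEW = {539: "account locked out", 612: "audit policy changed", 624: "user account created"}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed tab-separated layout into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, workstation = line.split("\t")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), account, workstation))
    return events


def detect(events: List[Event], threshold: int = 3,
           window: timedelta = timedelta(minutes=20)) -> List[Tuple[str, str]]:
    """Return (kind, detail) alerts.

    threshold/window mirror the lockout policy (3 bad attempts, 20-minute
    counter reset). The brute-force rule fires once, when the threshold-th
    failed logon from one workstation lands inside the window, whatever
    accounts it targeted, so guesses spread across accounts are still caught.
    """
    alerts: List[Tuple[str, str]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == 529:
            recent = failures[ev.workstation]
            recent.append(ev.when)
            while recent and ev.when - recent[0] > window:
                recent.popleft()
            if len(recent) == threshold:
                alerts.append(("brute_force",
                               f"{threshold} failed logons from {ev.workstation} within {window}"))
        if ev.event_id in (528, 529) and ev.account.lower() in DECOY_ACCOUNTS:
            alerts.append(("decoy_account", f"logon attempt as {ev.account!r} from {ev.workstation}"))
        if ev.event_id in ALWAYS_REVIEW:
            alerts.append(("review", f"{ALWAYS_REVIEW[ev.event_id]}: {ev.account} on {ev.workstation}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(parse_log(LOG)):
        print(f"[{kind}] {detail}")
```

On the constructed log this yields three decoy-account alerts and one brute-force alert for ATTACKER01, plus three review items (the lockout, the audit policy change made from MGMT-PC, and the new account created on WEBSRV). The brute-force rule keys on the workstation rather than the account on purpose: an attacker who rotates user names to stay under the per-account lockout threshold still shows up.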

5. Enable the password policy
Policy: Setting
Passwords must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 42 days
Treat 6 characters as a floor rather than a target; see item 9 under Advanced for why short passwords fall quickly to offline cracking.

6. Enable the account lockout policy
Policy: Setting
Reset account lockout counter after: 20 minutes
Account lockout duration: 20 minutes
Account lockout threshold: 3 invalid logon attempts
Two caveats: a low threshold lets an attacker lock legitimate users out on purpose, and the built-in Administrator account is never locked out for interactive logon, which is one more reason to rename it and to watch the security log.
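The rule of thumb from item 8 under Elementary (a password is good if cracking it takes longer than the maximum password age) can be checked against the two policies above. As an added example (not part of the original article), the following script computes how many online guesses the lockout policy leaves an attacker within one rotation period, and whether a minimum-length password survives 42 days of offline cracking at an assumed guess rate. The guess rate is an assumption for illustration; the LM-hash rule it applies is a fact about NT/2000 password storage, which is why the article's later suggestion of smart cards (item 9 under Advanced) is more than a convenience.

```python
"""Does the password policy meet the article's own test (cracking takes longer
than the maximum password age)?

Added example; not part of the original article. The guess rates used below
are assumptions for illustration; measure real ones with the cracking tool you
expect an attacker to use. The LM rule is a fact about NT/2000 password
storage: the LM hash upper-cases the password, pads it to 14 characters and
hashes two independent 7-character halves, so an offline attacker searches
two short spaces instead of one long one.
"""
from dataclasses import dataclass
from typing import Iterable

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


@dataclass(frozen=True)
class Policy:
    min_length: int = 6            # the article's values
    max_age_days: int = 42
    lockout_threshold: int = 3
    lockout_reset_minutes: int = 20


def alphabet_size(classes: Iterable[str]) -> int:
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length: int, classes: Iterable[str]) -> int:
    """Passwords of exactly `length` drawn from the given classes (NTLM-style hashing)."""
    return alphabet_size(classes) ** length


def lm_keyspace(length: int, classes: Iterable[str]) -> int:
    """Work to recover an LM-hashed password: case folds, halves crack separately."""
    classes = set(classes)
    if "lower" in classes:
        classes.discard("lower")
        classes.add("upper")
    n = alphabet_size(classes)
    length = min(length, 14)           # LM ignores anything past 14 characters
    work = n ** min(length, 7)
    if length > 7:
        work += n ** (length - 7)      # second half; padding beyond it is a constant
    return work


def online_guesses(policy: Policy, days: int) -> int:
    """Guesses against one account that never trip the lockout:
    threshold-1 per reset window, repeated for every window in `days`."""
    windows = days * 24 * 60 // policy.lockout_reset_minutes
    return (policy.lockout_threshold - 1) * windows


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / 86400


def survives_rotation(policy: Policy, classes: Iterable[str], offline_rate: float,
                      lm_hashes_stored: bool = True) -> bool:
    """True if exhausting the minimum-length keyspace outlasts max_age_days."""
    space = (lm_keyspace if lm_hashes_stored else keyspace)(policy.min_length, classes)
    return days_to_exhaust(space, offline_rate) > policy.max_age_days


if __name__ == "__main__":
    classes = ["lower", "upper", "digit"]
    rate = 1_000_000          # assumed offline guesses per second
    for p in (Policy(), Policy(min_length=8), Policy(min_length=14)):
        print(f"min length {p.min_length:2}: LM stored -> {survives_rotation(p, classes, rate)},"
              f" NTLM only -> {survives_rotation(p, classes, rate, lm_hashes_stored=False)}")
    print("online guesses inside one rotation period:", online_guesses(Policy(), 42))
```

With the assumed rate, the lockout policy limits an online attacker to 6,048 guesses per account per rotation period, which is what makes online guessing a poor strategy; offline, a 6-character mixed-case alphanumeric password lasts well under a day, and even a 14-character one fails the 42-day test as long as LM hashes are stored, while an 8-character password without LM hashing passes comfortably. Length helps only once the LM hash is out of the picture.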

7. Restrict access to the security log
Make sure the security log (%SystemRoot%\system32\config\SecEvent.Evt) can be read and cleared only by Administrators and the SYSTEM account; check the file's NTFS permissions rather than assuming the default is right.

8. Store sensitive files on a separate file server
Even though the server's disk is large, consider whether important user data (documents, spreadsheets, project files and so on) should be kept on a separate, secured server that is backed up regularly.

9. Do not display the user name of the last logon
By default the logon dialog shows the account name of the last user who logged on, both at the console and over Terminal Services. That makes it easy for others to collect valid user names for password guessing. Set the following registry value to suppress it:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
Set this REG_SZ value to 1.

10. Restrict null sessions
By default anyone can connect to the server with a null session (an anonymous IPC$ connection), enumerate accounts and shares, and then guess passwords. Restrict anonymous access through the registry:
Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD) to 1. A value of 1 still permits some enumeration (for example SID-to-name lookups); 2 blocks anonymous access almost entirely but can break browsing and some cross-domain operations, so test it before rolling it out.

11. Download the latest patches from Microsoft
Many administrators never visit security sites, so vulnerabilities that have been public for a long time stay open on their servers and make them easy targets. Nobody can guarantee that the millions of lines of code in Windows 2000 are free of security holes. Regularly visiting Microsoft and the security sites to download the latest service pack and hotfixes is the only way to keep a server secure in the long run.

Advanced
1. Disable DirectDraw
This is a requirement of the C2 security standard concerning video cards and memory. Disabling DirectDraw may affect programs that need DirectX (games; but who plays StarCraft on a server?), but the vast majority of commercial sites will be unaffected. In the registry, set Timeout (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI to 0.

2. Disable default shares
After installation, Windows 2000 creates several hidden administrative shares; run net share at a command prompt to see them. There are plenty of articles about IPC$ intrusion on the Internet, so you are probably familiar with them. To remove a share, open Administrative Tools > Computer Management > Shared Folders > Shares, right-click the share and choose Stop Sharing. However, the shares are recreated when the machine restarts; to stop that, set the AutoShareServer (Server) or AutoShareWks (Professional) REG_DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0. IPC$ is not affected by that value; it exists as long as the Server service runs.
Default shares, their paths and purpose:
C$, D$, E$: the root directory of each partition. On Windows 2000 Professional only members of Administrators and Backup Operators can connect to them; on Windows 2000 Server, members of Server Operators can as well.
ADMIN$: %SystemRoot%, shared for remote administration. Its path always points to the Windows 2000 installation directory, for example c:\winnt.
FAX$: on Windows 2000 Server, used by fax clients when sending a fax.
IPC$: the null-session share. IPC$ provides the named-pipe endpoint used for logging on to the system and for remote administration.
NETLOGON: on Windows 2000 Server domain controllers, the Net Logon service share used to process domain logon requests.
PRINT$: %SystemRoot%\system32\spool\drivers, for remote printer driver management.

3. Disable memory dump files
Dump files are useful when diagnosing a crash (blue screen), but they can also hand sensitive information to an attacker, such as passwords that applications hold in memory. To disable them, open Control Panel > System > Advanced > Startup and Recovery and set Write Debugging Information to (none). You can re-enable it when you need to debug a problem.

4. Use the Encrypting File System (EFS)
Windows 2000's built-in encryption system protects disks, folders and files, so that someone who removes your hard disk and mounts it in another machine cannot read the data. Apply EFS to folders rather than to individual files, so that temporary copies created inside the folder are encrypted too. Note that the default recovery agent (the local Administrator on a standalone machine) can decrypt any EFS file, so export that recovery key and keep it off the server. For more on EFS, see http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

5. Encrypt the Temp folder
Some applications copy files into the Temp folder during installation or upgrade and do not clean up when they finish or are removed, so encrypting the Temp folder adds another layer of protection for your files.

6. Lock the registry
In Windows 2000, only Administrators and Backup Operators may access the registry over the network by default. If that is not enough, you can tighten remote registry access further through the permissions on the winreg key; for details see http://support.microsoft.com/support/kb/articles/Q153/1/83.asp

7. Clear the page file at shutdown
The page file (swap file) is a hidden file that Windows 2000 uses to hold program and data pages that do not fit in memory. Some third-party programs keep unencrypted passwords in memory, and the page file may contain other sensitive information as well. To have it cleared at shutdown, edit the registry:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Set ClearPageFileAtShutdown (REG_DWORD) to 1.
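The registry settings from this article (items 9 and 10 under Intermediate and items 1, 2 and 7 under Advanced) are easier to apply and to re-check from a file than by hand in regedit. As an added example (not part of the original article), the script below builds a .reg file containing them and audits a registry export against the same table, reporting every value that is missing or wrong. The export text is constructed to look like `regedit /e` output; the AutoShareServer and AutoShareWks values are the documented LanmanServer parameters that stop the administrative shares from being recreated at boot. Nothing here touches a live registry; on the server you would import the generated file with `regedit /s`.

```python
"""Generate a .reg file for the registry hardening values in this article and
audit an exported registry file against it.

Added example; not part of the original article. The export text is
constructed to look like `regedit /e` output. The paths and values are the
article's (DontDisplayLastUserName, RestrictAnonymous, DCI Timeout,
ClearPageFileAtShutdown) plus AutoShareServer/AutoShareWks, the documented
LanmanServer parameters that stop C$/ADMIN$ from being recreated at boot.
Nothing here touches a live registry.
"""
from typing import Dict, List, Tuple

Setting = Tuple[str, object]            # ("dword", int) or ("sz", str)
SettingKey = Tuple[str, str]            # (key path, value name)

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DCI = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI"
MEMORY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

HARDENING: Dict[SettingKey, Setting] = {
    (WINLOGON, "DontDisplayLastUserName"): ("sz", "1"),
    (LSA, "RestrictAnonymous"): ("dword", 1),
    (DCI, "Timeout"): ("dword", 0),
    (MEMORY, "ClearPageFileAtShutdown"): ("dword", 1),
    (LANMAN, "AutoShareServer"): ("dword", 0),   # Windows 2000 Server
    (LANMAN, "AutoShareWks"): ("dword", 0),      # Windows 2000 Professional
}


def format_value(kind: str, value: object) -> str:
    """Render a value in .reg syntax: dword:xxxxxxxx or a quoted, escaped string."""
    if kind == "dword":
        return f"dword:{int(value):08x}"
    if kind == "sz":
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    raise ValueError(f"unsupported value type {kind!r}")


def to_reg_file(settings: Dict[SettingKey, Setting]) -> str:
    """Group values under their key and emit a file regedit can import."""
    by_key: Dict[str, List[Tuple[str, Setting]]] = {}
    for (key, name), setting in settings.items():
        by_key.setdefault(key, []).append((name, setting))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        for name, (kind, value) in values:
            lines.append(f'"{name}"={format_value(kind, value)}')
        lines.append("")
    return "\n".join(lines)


def parse_reg_export(text: str) -> Dict[SettingKey, Setting]:
    """Parse the REG_SZ and REG_DWORD subset of .reg syntax (other types are ignored)."""
    found: Dict[SettingKey, Setting] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not line.startswith('"'):
            continue
        name, _, value = line[1:].partition('"=')
        if value.startswith("dword:"):
            found[(key, name)] = ("dword", int(value[len("dword:"):], 16))
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            found[(key, name)] = ("sz", value[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    return found


def audit(export: str, wanted: Dict[SettingKey, Setting]) -> List[Tuple[str, str, Setting, object]]:
    """Return (key, name, wanted, actual) for each value that is missing or differs."""
    actual = parse_reg_export(export)
    return [(key, name, setting, actual.get((key, name)))
            for (key, name), setting in wanted.items()
            if actual.get((key, name)) != setting]


# Constructed export from a host where only the page-file setting has been applied.
EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, wanted, actual in audit(EXPORT, HARDENING):
        print(f"{key}\\{name}: wanted {wanted}, found {actual}")
    print(to_reg_file(HARDENING))
```

On the constructed export the audit flags five findings: DontDisplayLastUserName is "0", RestrictAnonymous is 0, and the DCI Timeout and both AutoShare values are absent (a missing AutoShareServer means the default, shares on). The generated file round-trips through the parser, which is the check worth keeping: export the keys from the server after importing the file and run the audit again, because a service pack or a well-meaning colleague can silently reset any of these.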

8. Do not allow booting from floppy or CD-ROM
Some third-party tools boot the machine from removable media and bypass the operating system's security entirely. If the server has high security requirements, consider removing the floppy and CD-ROM drives, or at least disable booting from them in the BIOS and set a BIOS password. Locking the case is a good measure as well.

9. Consider using smart cards instead of passwords
Passwords are a perennial dilemma for the security administrator and are vulnerable to tools such as L0phtCrack. If the password is too complex, users write it down everywhere so they can remember it. Where conditions permit, replacing complex passwords with smart cards is a good solution.

10. Consider using IPSec
As the name implies, IPSec secures IP packets: it provides authentication, integrity and optional confidentiality. The sending computer signs and, if configured, encrypts the data before transmission, and the receiving computer verifies and decrypts it on arrival. IPSec can greatly enhance the security of the system.
